Bad Android apps can take many forms. Whether they are out to steal data, sign you up for premium rate SMS services, or push dodgy and malicious links via advertiser networks, users need to beware. SecurityWatch is partnering with a handful of security companies who monitor apps on Google Play and third-party marketplaces to identify malicious apps you should avoid.

If you happen to already have any of them, immediately remove the apps from your Android device and check your bill for unexplained charges.

Theoretically, malware can target any mobile platform. There are Zeus-in-the-mobile variants targeting BlackBerry devices, Java exploits targeting Symbian phones, and the occasional proof-of-concept going after iOS devices. But for the most part, when anyone talks about dangerous mobile apps, they mean Android apps.

For this week's list (Memorial Day edition) we have three apps Appthority's CTO Kevin Watkins found on third-party Websites and a bonus app BitDefender flagged on Google Play for using aggressive ad networks.

[1] Fake Google Play Installer

Appthority found Fake Google Play Installer on a third-party Website that had "Google" in its domain name. Part of the BadBadPiggies and Android.FakeInstaller malware families, this bad app targets European and Russian users.

When the app is running, it displays a fake progress bar that doesn't do anything and sends text messages to premium rate numbers in the background. The app sends statistics, such as the mobile device identifiers and the number of premium rate SMS messages it has sent, over to a Google account "Android Cloud to Device Messaging."

[2] Zoukmobile Top Music

Zoukmobile Top Music is one of several fake apps Appthority found on a third-party platform. When the app is running, it displays a list of popular artists, such as David Guetta, along with songs that users can listen to. The app uses the SMS subscription service "Zoukmobile" (a reference to a wireless application service and SMS subscription provider in Malaysia) to charge users around $4 a week for streaming music.

The app actually has a terms of service agreement where it explains that users will be charged a fee for the streaming service. "The app is using commercial music that likely was downloaded illegally and charging an absurd amount, giving it a malware rating from us," Appthority said.

[3] Fake Tank

Appthority found Android.OpFake malware inside Fake Tank, which was distributed through another Website. When the app runs, the user sees a form pointing to another Website. That Website informs you—via a terms of service page—that you are being signed up for a premium SMS subscription service while the app is sending messages.

[4] Fart Sounds Machine Version 2.2

BitDefender found Fart Sounds Machine, version 2.2, on Google Play. The app has a four-star rating and has been downloaded between 500,000 and a million times. This app uploads the device's unique ID to static.leadbolt.net and AirPush—an aggressive ad network. The app also uploads your phone number, location, and email address to AirPush. AirPush is known for displaying ads in the notification area and advertisement icons on the user's Home screen. However, the data transfer requires the user to opt in first.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.